Adding functions for granting rw access to tube

bigbes · bigbes · commit 0dfecdfdb971 · 2017-05-15T16:15:02.000+03:00
``` -- call from admin user tube:grant(username, { call = true/false }) ``` closes gh-59
diff --git a/queue/abstract.lua b/queue/abstract.lua
@@ -213,6 +213,40 @@ function tube.on_task_change(self, cb)
     return old_cb
 end
 
+function tube.grant(self, user, args)
+    local function tube_grant_space(user, name, tp)
+        box.schema.user.grant(user, tp or 'read,write', 'space', name, {
+            if_not_exists = true,
+        })
+    end
+
+    local function tube_grant_func(user, name)
+        box.schema.func.create(name, { if_not_exists = true })
+        box.schema.user.grant(user, 'execute', 'function', name, {
+            if_not_exists = true
+        })
+    end
+
+    args = args or {}
+
+    tube_grant_space(user, '_queue', 'read')
+    tube_grant_space(user, '_queue_consumers')
+    tube_grant_space(user, '_queue_taken')
+    tube_grant_space(user, self.name)
+
+    if args.call then
+        local prefix = (args.prefix or 'queue.tube') .. ('.%s:'):format(self.name)
+        tube_grant_func(user, prefix .. 'take')
+        tube_grant_func(user, prefix .. 'touch')
+        tube_grant_func(user, prefix .. 'ack')
+        tube_grant_func(user, prefix .. 'release')
+        tube_grant_func(user, prefix .. 'peek')
+        tube_grant_func(user, prefix .. 'bury')
+        tube_grant_func(user, prefix .. 'kick')
+        tube_grant_func(user, prefix .. 'delete')
+    end
+end
+
 -- methods
 local method = {}
 
diff --git a/queue/compat.lua b/queue/compat.lua
@@ -44,10 +44,25 @@ local function get_actual_vinylname(version)
     return check_version({1, 7}, version) and 'vinyl' or nil
 end
 
+local function get_optname_snapdir(version)
+    return check_version({1, 7}, version) and 'memtx_dir' or 'snap_dir'
+end
+
+local function get_optname_logger(version)
+    return check_version({1, 7}, version) and 'log' or 'logger'
+end
+
+local function pack_args(...)
+    return check_version({1, 7}) and { ... } or ...
+end
+
 return {
-    split_version = split_version,
-    check_version = check_version,
-    vinyl_name = get_actual_vinylname,
-    num_type = get_actual_numtype,
-    str_type = get_actual_strtype
+    split_version   = split_version,
+    check_version   = check_version,
+    vinyl_name      = get_actual_vinylname,
+    num_type        = get_actual_numtype,
+    str_type        = get_actual_strtype,
+    snapdir_optname = get_optname_snapdir,
+    logger_optname  = get_optname_logger,
+    pack_args       = pack_args,
 }
diff --git a/t/070-compat.t b/t/070-compat.t
diff --git a/t/080-otc-cb.t b/t/080-otc-cb.t
diff --git a/t/090-grant-check.t b/t/090-grant-check.t
@@ -0,0 +1,117 @@
+#!/usr/bin/env tarantool
+local test = require('tap').test()
+test:plan(2)
+
+local test_user = 'test'
+local test_pass = '1234'
+local test_host = 'localhost'
+local test_port = '3388'
+
+local uri = require('uri')
+local netbox = require('net.box')
+
+local tnt = require('t.tnt')
+
+tnt.cfg{
+    listen = uri.format({ host = test_host, service = test_port })
+}
+
+local qc = require('queue.compat')
+
+test:test('check for space grants', function(test)
+    -- prepare for tests
+    local queue = require('queue')
+    box.schema.user.create(test_user, { password = test_pass })
+
+    test:plan(5)
+
+    local tube = queue.create_tube('test', 'fifo')
+    tube:put('help');
+    local task = tube:take();
+    test:is(task[1], 0, 'we can get record')
+    tube:release(task[1])
+
+    -- checking without grants
+    box.session.su('test')
+    local stat, er = pcall(tube.take, tube)
+    test:is(stat, false, 'we\'re getting error')
+    box.session.su('admin')
+
+    -- checking with grants
+    tube:grant('test')
+    box.session.su('test')
+    local a = tube:take()
+    test:is(a[1], 0, 'we aren\'t getting any error')
+    local b = tube:take(0.1)
+    test:isnil(b, 'we aren\'t getting any error')
+    local c = tube:ack(a[1])
+    test:is(a[1], 0, 'we aren\'t getting any error')
+    box.session.su('admin')
+
+    -- checking double grants
+    tube:grant('test')
+
+    box.schema.user.drop(test_user)
+    tube:drop()
+end)
+
+test:test('check for call grants', function(test)
+    -- prepare for tests
+    _G.queue = require('queue')
+    box.schema.user.create(test_user, { password = test_pass })
+
+    test:plan(9)
+
+    local tube = queue.create_tube('test', 'fifo')
+    tube:put('help');
+    local task = tube:take();
+    test:is(task[1], 0, 'we can get record')
+    tube:release(task[1])
+
+    -- checking without grants
+    box.session.su('test')
+    local stat, er = pcall(tube.take, tube)
+    test:is(stat, false, 'we\'re getting error')
+    box.session.su('admin')
+
+    -- checking with grants
+    tube:grant('test')
+
+    box.session.su('test')
+    local a = tube:take()
+    test:is(a[1], 0, 'we aren\'t getting any error')
+    local b = tube:take(0.1)
+    test:isnil(b, 'we aren\'t getting any error')
+    local c = tube:release(a[1])
+    test:is(a[1], 0, 'we aren\'t getting any error')
+    box.session.su('admin')
+
+    local con = netbox.connect(uri.format({
+        login = test_user, password = test_pass,
+        host  = test_host, service  = test_port,
+    }, true))
+
+    local stat, er = pcall(con.call, con, tube, 'queue.tube.test:take')
+    test:is(stat, false, 'we\'re getting error')
+
+    -- granting call
+    tube:grant('test', { call = true })
+
+    local a = con:call('queue.tube.test:take')
+    test:is(a[1], 0, 'we aren\'t getting any error')
+    local b = con:call('queue.tube.test:take', qc.pack_args(0.1))
+    test:isnil(b, 'we aren\'t getting any error')
+    local c = con:call('queue.tube.test:ack',  qc.pack_args(a[1]))
+    test:is(a[1], 0, 'we aren\'t getting any error')
+
+    -- check grants again
+    tube:grant('test', { call = true })
+
+    _G.queue = nil
+    tube:drop()
+end)
+
+tnt.finish()
+
+os.exit(test:check() == true and 0 or -1)
+-- vim: set ft=lua :
diff --git a/t/tnt/init.lua b/t/tnt/init.lua
@@ -6,7 +6,10 @@ local errno = require('errno')
 local dir     = os.getenv('QUEUE_TMP')
 local cleanup = false
 
-local vinyl_name = require('queue.compat').vinyl_name
+local qc              = require('queue.compat')
+local vinyl_name      = qc.vinyl_name
+local snapdir_optname = qc.snapdir_optname
+local logger_optname  = qc.logger_optname
 
 if dir == nil then
     dir = fio.tempdir()
@@ -23,14 +26,15 @@ local function tnt_prepare(cfg_args)
         end
     end
 
-    cfg_args['wal_dir']              = dir
-    cfg_args['snap_dir']             = dir
+    cfg_args['wal_dir']         = dir
+    cfg_args[snapdir_optname()] = dir
+    cfg_args[logger_optname()]  = fio.pathjoin(dir, 'tarantool.log')
     if vinyl_name() then
-        cfg_args[vinyl_name() .. '_dir'] = dir
+        local vinyl_optname     = vinyl_name() .. '_dir'
+        cfg_args[vinyl_optname] = dir
     end
-    cfg_args['logger']               = fio.pathjoin(dir, 'tarantool.log')
 
-    box.cfg (cfg_args)
+    box.cfg(cfg_args)
 end
 
 return {
@@ -75,5 +79,3 @@ return {
 
     cfg = tnt_prepare
 }
-
-
